DNS lookups can slow down any system if they aren’t quick enough, or if you have a server that’s doing reverse lookups.

So instead of your computer or server making hundreds or thousands of unneeded DNS requests.

Setting up

The config for dnsmasq is in /etc/dnsmasq.conf

Here are some of the configuration options I like to use.

This is where we set the file that holds the actual DNS servers:

resolv-file=/etc/resolv.dnsmasq.conf

Never forward plain names (without a dot or domain part):

domain-needed

Never forward addresses in the non-routed address spaces:

bogus-priv

If you use OpenDNS servers, set this to query the servers in the order they are listed:

strict-order

Also, if you use OpenDNS, you’ll need this line so it doesn’t redirect Google queries:

server=/www.google.com/8.8.8.8

If your DNS servers are on a remote host that you reach through something like OpenVPN or ssh, you’ll need to bind dnsmasq to that interface:

interface=tun0
no-dhcp-interface=tun0

Now put your actual DNS servers in /etc/resolv.dnsmasq.conf:

# OpenDNS IPv4 nameservers
nameserver 208.67.222.222
nameserver 208.67.220.220

# OpenDNS IPv6 nameservers
nameserver 2620:0:ccc::2
nameserver 2620:0:ccd::2

And change your /etc/resolv.conf so that its only nameserver is 127.0.0.1.

You may also have to stop NetworkManager from overwriting the DNS settings. In /etc/NetworkManager/NetworkManager.conf:

[main]
#dns=default
dns=none

DNSSEC

Domain Name System Security Extensions (DNSSEC) is a set of additions to the DNS protocol to make it more secure. It lets a resolver verify, using the signatures a signed zone publishes over its records, that the answers it receives are authentic and have not been tampered with.

In /etc/dnsmasq.conf, add or uncomment these lines to enable DNSSEC:

conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec

Some replies are not DNSSEC signed. They may still be legitimate, because the domain is unsigned, or they may be forgeries. This setting makes dnsmasq do extra checks to prove that the zone really is unsigned, instead of simply trusting an unsigned reply. It costs a few more DNS lookups, but it’s good for security:

dnssec-check-unsigned

The trust-anchors.conf file above holds the root trust anchor, using the values from https://data.iana.org/root-anchors/root-anchors.xml

The current one I have is this (which you can verify at the URL above):

# The root DNSSEC trust anchor, valid as at 18/03/2016

# Note that this is a DS record (ie a hash of the root Zone Signing Key)
# It was downloaded from https://data.iana.org/root-anchors/root-anchors.xml

trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
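As an added example (not part of the original post), here is a small Python check that parses dnsmasq trust-anchor= lines and compares them with the KeyDigest entries in IANA’s root-anchors.xml, flagging anchors that IANA does not publish or that are past their validUntil date. The XML and conf text are constructed inline in the layout of the IANA file; the validUntil value and the second, tampered conf line are assumptions made for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in the layout of https://data.iana.org/root-anchors/root-anchors.xml;
# the DS values are those from trust-anchors.conf above, validUntil is an assumption.
ROOT_ANCHORS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="sample" source="http://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
<KeyTag>19036</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
</KeyDigest>
</TrustAnchor>"""

# Constructed dnsmasq trust-anchors.conf: the line from the post plus a tampered copy.
TRUST_ANCHORS_CONF = """# The root DNSSEC trust anchor
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5DEADBEEF
"""

def iana_anchors(xml_text):
    """Map (zone, keytag, algorithm, digest type, digest) -> validUntil (None if open-ended)."""
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone").strip()
    published = {}
    for kd in root.iter("KeyDigest"):
        key = (zone, int(kd.findtext("KeyTag")), int(kd.findtext("Algorithm")),
               int(kd.findtext("DigestType")), kd.findtext("Digest").strip().upper())
        until = kd.get("validUntil")
        published[key] = datetime.fromisoformat(until) if until else None
    return published

def dnsmasq_anchors(conf_text):
    """Parse trust-anchor=<zone>,<keytag>,<alg>,<digesttype>,<hexdigest> lines."""
    pat = re.compile(r"\s*trust-anchor=([^,\s]+),(\d+),(\d+),(\d+),([0-9A-Fa-f]+)\s*$")
    matches = (pat.match(line) for line in conf_text.splitlines())
    return [(m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4)),
             m.group(5).upper()) for m in matches if m]

def check_anchors(conf_text, xml_text, now_iso):
    """Return [(problem, anchor)]: anchors IANA does not publish, or past validUntil."""
    now = datetime.fromisoformat(now_iso)
    published = iana_anchors(xml_text)
    problems = []
    for anchor in dnsmasq_anchors(conf_text):
        if anchor not in published:
            problems.append(("not-published", anchor))
        elif published[anchor] is not None and published[anchor] <= now:
            problems.append(("expired", anchor))
    return problems
```

Run it against the real file and your own trust-anchors.conf after a root KSK rollover: an "expired" result means dnsmasq is still validating against a retired key.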

To verify that DNSSEC is working, go to https://www.dnssec-tools.org/
